close
  • Ar chevron_right

    Cops can keep Ring footage forever, share it with anyone, Amazon confirms

    news.movim.eu / ArsTechnica – 2 days ago - 21:58

Your local police might like to interest you in this product.

Enlarge / Your local police might like to interest you in this product. (credit: Amazon )

Amazon subsidiary Ring, which makes home surveillance equipment and cameras, has "partnerships" with more than 600 law enforcement agencies nationwide, allowing those police access to users' footage. And while Ring says it sets terms around how and when it will share that footage with police, anything the police do with it afterward is entirely out of its hands, the company says.

The partnerships between Ring and police, and the terms of the agreements, have not been transparent to the general public. Instead, they've come out in bits and pieces in media reports throughout the year. Sen. Ed Markey (D-Mass.) in September demanded clearer answers from Amazon about Ring and published the company's responses this week.

In the pair of replies ( PDF 1 , PDF 2 ), Ring repeatedly deflects responsibility for the contents of captured footage to the consumers who capture it and the police departments that acquire it.

Read 30 remaining paragraphs | Comments

index?i=drW905KnnvQ:xNeTFKIgyRE:V_sGLiPBpWUindex?i=drW905KnnvQ:xNeTFKIgyRE:F7zBnMyn0Loindex?d=qj6IDK7rITsindex?d=yIl2AUoC8zA
  • Ar chevron_right

    Senators ask if Facebook really lets users opt out of location tracking

    news.movim.eu / ArsTechnica – 3 days ago - 19:41

The Facebook logo is displayed on a TV screen on September 9, 2019 in Paris, France.

Enlarge / The Facebook logo is displayed on a TV screen on September 9, 2019 in Paris, France. (credit: Chesnot | Getty )

Back in September, Facebook updated its location privacy settings for users. "Facebook is better with location," the company stressed, but users were free to turn off location tracking, and the company would be happy to tell them how. That setting, however, comes with an enormous loophole, and two US senators want the company to explain itself.

Senators Chris Coons (D-Del.) and Josh Hawley (R-Mo.) today sent a letter ( PDF ) to Facebook asking the company how, exactly, it tracks users' locations—even when location access and location history are disabled.

"We appreciate Facebook's attempt to proactively inform users about their privacy options," the senators wrote. "However, we are concerned that Facebook may not in fact be offering users the level of control that the company suggests these settings provide."

Read 11 remaining paragraphs | Comments

index?i=_16EjYqS3es:boeEx19QSi0:V_sGLiPBpWUindex?i=_16EjYqS3es:boeEx19QSi0:F7zBnMyn0Loindex?d=qj6IDK7rITsindex?d=yIl2AUoC8zA
  • Te chevron_right

    India says law permits agencies to snoop on citizen’s devices

    news.movim.eu / TechCrunch – 3 days ago - 14:57

The Indian government said on Tuesday that it is “empowered” to intercept, monitor, or decrypt any digital communication “generated, transmitted, received, or stored” on a citizen’s device in the country in the interest of national security or to maintain friendly relations with foreign states.

Citing section 69 of the Information Technology Act, 2000, and section 5 of the Telegraph Act, 1885, Minister of State for Home Affairs G. Kishan Reddy said local law empowers federal and state government to “intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource in the interest of the sovereignty or integrity of India, the security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.”

Reddy’s remarks were in response to the parliament , where a lawmaker had asked if the government had snooped on citizens’ WhatsApp, Messenger, Viber, and Google calls and messages.

The lawmaker’s question was prompted after 19 activists, journalists, politicians, and privacy advocates in India revealed earlier this month that their WhatsApp communications may have been compromised.

WhatsApp has said that Israeli spyware manufacturer NSO’s tools have been used to send malware to 1,400 users. The Facebook-owned company has in recent weeks alerted users whose accounts had been compromised. The social juggernaut earlier this month sued NSO alleging that its tools were being used to hack WhatsApp users .

NSO has maintained that it only sells its tools to government and intelligence agencies, an assertion that stoked fear among some that the state could be behind targeting the aforementioned 19 people — and perhaps more — in the country.

Reddy did not directly address the questions, but in a blanket written statement said that “authorized agencies as per due process of law, and subject to safeguards as provided in the rules” can intercept or monitor or decrypt “any information from any computer resource” in the country.

He added that each case of such interception has to be approved by the Union Home Secretary (in case of federal government) and by the Home Secretary of the State (in case of state government.)

Last month, the Indian government said it was moving ahead with its plan to revise existing rules to regulate intermediaries — social media apps and others that rely on users to create their content — as they are causing “unimaginable disruption” to democracy.

It told the country’s apex court that it would formulate the rules by January 15 of next year.

A report published today by New Delhi-based Software Law and Freedom Centre (SFLC) found that more than 100,000 telephone interception are issued by the federal government alone every year.

“On adding the surveillance orders issued by the state governments to this, it becomes clear that India routinely surveils her citizens’ communications on a truly staggering scale,” the report said.

The non-profit organization added that the way current laws that enable law enforcement agencies to conduct surveillance on citizens’ private communications are “opaque” as they are run “solely by the executive arm of the government, and make no provisions for independent oversight of the surveillance process.”

  • Te chevron_right

    A 10-point plan to reboot the data industrial complex for the common good

    news.movim.eu / TechCrunch – 3 days ago - 09:14

A posthumous manifesto by Giovanni Buttarelli, who until his death this summer was Europe’s chief data protection regulator, seeks to join the dots of surveillance capitalism’s rapacious colonization of human spaces, via increasingly pervasive and intrusive mapping and modelling of our data, with the existential threat posed to life on earth by manmade climate change.

In a dense document rich with insights and ideas around the notion that “data means power” — and therefore that the unequally distributed data-capture capabilities currently enjoyed by a handful of tech platforms sums to power asymmetries and drastic social inequalities — Buttarelli argues there is potential for AI and machine learning to “help monitor degradation and pollution, reduce waste and develop new low-carbon materials”. But only with the right regulatory steerage in place.

“Big data, AI and the internet of things should focus on enabling sustainable development, not on an endless quest to decode and recode the human mind,” he warns. “These technologies should — in a way that can be verified — pursue goals that have a democratic mandate. European champions can be supported to help the EU achieve digital strategic autonomy.”

“The EU’s core values are solidarity, democracy and freedom,” he goes on. “Its conception of data protection has always been the promotion of responsible technological development for the common good. With the growing realisation of the environmental and climatic emergency facing humanity, it is time to focus data processing on pressing social needs. Europe must be at the forefront of this endeavour, just as it has been with regard to individual rights.”

One of his key calls is for regulators to enforce transparency of dominant tech companies — so that “production processes and data flows are traceable and visible for independent scrutiny”.

“Use enforcement powers to prohibit harmful practices, including profiling and behavioural targeting of children and young people and for political purposes,” he also suggests.

Another point in the manifesto urges a moratorium on “dangerous technologies”, citing facial recognition and killer drones as examples, and calling generally for a pivot away from technologies designed for “human manipulation” and toward “European digital champions for sustainable development and the promotion of human rights”.

In an afterword penned by Shoshana Zuboff, the US author and scholar writes in support of the manifesto’s central tenet, warning pithily that: “Global warming is to the planet what surveillance capitalism is to society.”

There’s plenty of overlap between Buttarelli’s ideas and Zuboff’s — who has literally written the book on surveillance capitalism. Data concentration by powerful technology platforms is also resulting in algorithmic control structures that give rise to “a digital underclass… comprising low-wage workers, the unemployed, children, the sick, migrants and refugees who are required to follow the instructions of the machines”, he warns.

“This new instrumentarian power deprives us not only of the right to consent, but also of the right to combat, building a world of no exit in which ignorance is our only alternative to resigned helplessness, rebellion or madness,” she agrees.

There are no less than six afterwords attached to the manifesto — a testament to the store in which Buttarelli’s ideas are held among privacy, digital and human rights campaigners.

The manifesto “goes far beyond data protection”, says writer Maria Farrell in another contribution. “It connects the dots to show how data maximisation exploits power asymmetries to drive global inequality. It spells out how relentless data-processing actually drives climate change. Giovanni’s manifesto calls for us to connect the dots in how we respond, to start from the understanding that sociopathic data-extraction and mindless computation are the acts of a machine that needs to be radically reprogrammed.”

At the core of the document is a 10-point plan for what’s described as “sustainable privacy”, which includes the call for a dovetailing of the EU’s digital priorities with a Green New Deal — to “support a programme for green digital transformation, with explicit common objectives of reducing inequality and safeguarding human rights for all, especially displaced persons in an era of climate emergency”.

Buttarelli also suggests creating a forum for civil liberties advocates, environmental scientists and machine learning experts who can advise on EU funding for R&D to put the focus on technology that “empowers individuals and safeguards the environment”.

Another call is to build a “European digital commons” to support “open-source tools and interoperability between platforms, a right to one’s own identity or identities, unlimited use of digital infrastructure in the EU, encrypted communications, and prohibition of behaviour tracking and censorship by dominant platforms”.

“Digital technology and privacy regulation must become part of a coherent solution for both combating and adapting to climate change,” he suggests in a section dedicated to a digital Green New Deal — even while warning that current applications of powerful AI technologies appear to be contributing to the problem.

“AI’s carbon footprint is growing,” he points out, underlining the environmental wastage of surveillance capitalism. “Industry is investing based on the (flawed) assumption that AI models must be based on mass computation.

“Carbon released into the atmosphere by the accelerating increase in data processing and fossil fuel burning makes climatic events more likely. This will lead to further displacement of peoples and intensification of calls for ‘technological solutions’ of surveillance and border controls, through biometrics and AI systems, thus generating yet more data. Instead, we need to ‘greenjacket’ digital technologies and integrate them into the circular economy.”

Another key call — and one Buttarelli had been making presciently in recent years — is for more joint working between EU regulators towards common sustainable goals.

“All regulators will need to converge in their policy goals — for instance, collusion in safeguarding the environment should be viewed more as an ethical necessity than as a technical breach of cartel rules. In a crisis, we need to double down on our values, not compromise on them,” he argues, going on to voice support for antitrust and privacy regulators to co-operate to effectively tackle data-based power asymmetries.

“Antitrust, democracies’ tool for restraining excessive market power, therefore is becoming again critical. Competition and data protection authorities are realising the need to share information about their investigations and even cooperate in anticipating harmful behaviour and addressing ‘imbalances of power rather than efficiency and consent’.”

On the General Data Protection Regulation ( GDPR ) specifically — Europe’s current framework for data protection — Buttarelli gives a measured assessment, saying “first impressions indicate big investments in legal compliance but little visible change to data practices”.

He says Europe’s data protection authorities will need to use all the tools at their disposal — and find the necessary courage — to take on the dominant tracking and targeting digital business models fuelling so much exploitation and inequality.

He also warns that GDPR alone “will not change the structure of concentrated markets or in itself provide market incentives that will disrupt or overhaul the standard business model”.

“True privacy by design will not happen spontaneously without incentives in the market,” he adds. “The EU still has the chance to entrench the right to confidentiality of communications in the ePrivacy Regulation under negotiation , but more action will be necessary to prevent further concentration of control of the infrastructure of manipulation.”

Looking ahead, the manifesto paints a bleak picture of where market forces could be headed without regulatory intervention focused on defending human rights. “The next frontier is biometric data, DNA and brainwaves — our thoughts,” he suggests. “Data is routinely gathered in excess of what is needed to provide the service; standard tropes, like ‘improving our service’ and ‘enhancing your user experience’ serve as decoys for the extraction of monopoly rents.”

There is optimism too, though — that technology in service of society can be part of the solution to existential crises like climate change; and that data, lawfully collected, can support public good and individual self-realization.

“Interference with the right to privacy and personal data can be lawful if it serves ‘pressing social needs’,” he suggests. “These objectives should have a clear basis in law, not in the marketing literature of large companies. There is no more pressing social need than combating environmental degradation” — adding that: “The EU should promote existing and future trusted institutions, professional bodies and ethical codes to govern this exercise.”

In instances where platforms are found to have systematically gathered personal data unlawfully Buttarelli trails the interesting idea of an amnesty for those responsible “to hand over their optimisation assets”– as a means of not only resetting power asymmetries and rebalancing the competitive playing field but enabling societies to reclaim these stolen assets and reapply them for a common good.

While his hope for Europe’s Data Protection Board — the body which offers guidance and coordinates interactions between EU Member States’ data watchdogs — is to be “the driving force supporting the Global Privacy Assembly in developing a common vision and agenda for sustainable privacy”.

The manifesto also calls for European regulators to better reflect the diversity of people whose rights they’re being tasked with safeguarding.

The document, which is entitled Privacy 2030: A vision for Europe , has been published on the website of the International Association of Privacy Professionals ahead of its annual conference this week .

Buttarelli had intended — but was finally unable — to publish his thoughts on the future of privacy this year, hoping to inspire discussion in Europe and beyond. In the event, the manifesto has been compiled posthumously by Christian D’Cunha, head of his private office, who writes that he has drawn on discussions with the data protection supervisor in his final months — with the aim of plotting “a plausible trajectory of his most passionate convictions”.

  • Ar chevron_right

    Man charged with theft for removing police GPS tracker from his car

    news.movim.eu / ArsTechnica – 4 days ago - 21:25

Indiana Supreme Court Justice Steven David

Enlarge / Indiana Supreme Court Justice Steven David (credit: Indiana Supreme Court)

Back in 2012, the US Supreme Court ruled that it's illegal for the police to attach a GPS tracking device to someone's car without a warrant. But what if you find a GPS tracking device on your car? Can you remove it?

A little more than a year ago, the state of Indiana charged a suspected drug dealer with theft for removing a government-owned GPS tracking device from his SUV. This month, the state's Supreme Court began considering the case , and some justices seemed skeptical of the government's argument.

"I'm really struggling with how is that theft," said Justice Steven David during recent oral arguments .

Read 12 remaining paragraphs | Comments

index?i=-jEPjQpBDvE:F3-ssRmevB0:V_sGLiPBpWUindex?i=-jEPjQpBDvE:F3-ssRmevB0:F7zBnMyn0Loindex?d=qj6IDK7rITsindex?d=yIl2AUoC8zA
  • Te chevron_right

    Microsoft announces changes to cloud contract terms following EU privacy probe

    news.movim.eu / TechCrunch – 4 days ago - 13:27

Chalk up another win for European data protection: Microsoft has announced changes to commercial cloud contracts following privacy concerns raised by European Union data protection authorities.

The changes to contactual terms will apply globally and to all its commercial customers — whether public or private sector entity, or large or small business, it said today.

The new contractual provisions will be offered to all public sector and enterprise customers at the beginning of 2020, it adds.

In October Europe’s data protection supervisor warned that preliminary results of an investigation into contractual terms for Microsoft’s cloud services had raised serious concerns about compliance with EU data protection rules and the role of the tech giant as a data processor for EU institutions.

Writing on its EU Policy blog , Julie Brill, Microsoft’s corporate VP for global privacy and regulatory affairs and chief privacy officer, announces the update to privacy provisions in the Online Services Terms (OST) of its commercial cloud contracts — saying it’s making the changes as a result of “feedback we’ve heard from our customers”.

“The changes we are making will provide more transparency for our customers over data processing in the Microsoft cloud,” she writes.

She also says the changes reflect those Microsoft developed in consultation with the Dutch Ministry of Justice and Security — which comprised both amended contractual terms and technical safeguards and settings — after the latter carried out risk assessments of Microsoft’s OST earlier this year and also raised concerns.

Specifically, Microsoft is accepting greater data protection responsibilities for additional processing involved in providing enterprise services, such as account management and financial reporting, per Brill:

Through the OST update we are announcing today we will increase our data protection responsibilities for a subset of processing that Microsoft engages in when we provide enterprise services. In the OST update, we will clarify that Microsoft assumes the role of data controller when we process data for specified administrative and operational purposes incident to providing the cloud services covered by this contractual framework, such as Azure, Office 365, Dynamics and Intune. This subset of data processing serves administrative or operational purposes such as account management; financial reporting; combatting cyberattacks on any Microsoft product or service; and complying with our legal obligations.

Microsoft currently designates itself as a data processor, rather than data controller for these administrative and operations functions that can be linked to provision of commercial cloud services, such as its Azure platform.

But under Europe’s General Data Protection framework a data controller has the widest obligations around handling personal data — with responsibility under Article 5 of the GDPR for the lawfulness, fairness and security of the data being processed — and therefore also greater legal risk should it fail to meet the standard.

So, from a regulatory point of view, Microsoft’s current commercial contract structure poses a risk for EU institutions of user data ending up being processed under a lower standard of legal protection than is merited.

The announced switch from data processor to controller should raise the bar around associated purposes that Microsoft may also provide to commercial customers of its cloud services.

For the latter purpose itself, Microsoft says it will remain the data processor, as well as for improving and addressing bugs or other issues related to the service, ensuring security of the services, and keeping the services up to date.

In August a conference organized jointly by the EU’s data protection supervisor and and the Dutch Ministry brought together EU customers of cloud giants to work on a joint response to regulatory risks related to cloud software provision.

Earlier this year the Dutch Ministry obtained contractual changes and technical safeguards and settings in the amended contracts it agreed with Microsoft.

“The only substantive differences in the updated terms [that will roll out globally for all commercial cloud customers] relate to customer-specific changes requested by the Dutch MOJ, which had to be adapted for the broader global customer base,” Brill writes now.

Microsoft’s blog post also points to other global privacy-related changes it says were made following feedback from the Dutch MOJ and others — including a roll out of new privacy tools across major services; specific changes to Office 365 ProPlus ; and increased transparency regarding use of diagnostic data.

  • Te chevron_right

    TriNet sent remote workers an email that some thought was a phishing attack

    news.movim.eu / TechCrunch – 5 days ago - 21:23

It was the one of the best phishing emails we’ve seen… that wasn’t.

Phishing remains one of the most popular attack choices for scammers. Phishing emails are designed to impersonate companies or executives to trick users into turning over sensitive information, typically usernames and passwords, so that scammers can log into online services and steal money or data. But detecting and preventing phishing isn’t just a user problem — it’s a corporate problem too, especially when companies don’t take basic cybersecurity precautions and best practices to hinder scammers from ever getting into a user’s inbox.

Enter TriNet, a human resources giant, which this week became the poster child for how how to make a genuine email to its customers look inadvertently as suspicious as it gets.

Remote employees at companies across the U.S. who rely on TriNet for access to outsourced human resources, like their healthcare benefits and workplace policies, were sent an email this week as part of an effort to keep employees “informed and up-to-date on the labor and employment laws that affect you.”

Workers at one Los Angeles-based health startup that manages its employee benefits through TriNet all got the email at the same time. But one employee wasn’t convinced it was a real email, and forwarded it — and its source code — to TechCrunch.

TriNet is one of the largest outsourced human resources providers in the United States, primarily for small-to-medium-sized businesses that may not have the funding to hire dedicated human resources staff. And this time of year is critical for companies that rely on TriNet, since health insurance plans are entering open enrollment and tax season is only a few weeks away. With benefit changes to consider, it’s not unusual for employees to receive a rash of TriNet-related emails towards the end of the year.

But this email didn’t look right. In fact when we looked under the hood of the email, everything about it looked suspicious.

This is the email that remote workers received. TriNet said the use of an Imgur-hosted image in the email was “mistakenly” used. (Image: TechCrunch/supplied)

We looked at the source code of the email, including its headers. These email headers are like an envelope — they say where an email came from, who it’s addressed to, how it was routed, and if there were any complications along the way, such as being marked as spam.

There were more red flags than we could count.

Chief among the issues were that the TriNet logo in the email was hosted on Imgur, a free image-hosting and meme-sharing site, and not the company’s own website. That’s a common technique among phishing attackers — they use Imgur to host images they use in their spam emails to avoid detection. Since the image was uploaded in July, that logo was viewed more than 70,000 times until we reached out to TriNet, which removed the image, suggesting thousands of TriNet customers had received one of these emails. And, although the email contained a link to a TriNet website, the page that loaded had an entirely different domain with nothing on it to suggest it was a real TriNet-authorized site besides a logo, which if it were a phishing site could’ve been easily spoofed.

Fearing that somehow scammers had sent out a phishing email to potentially thousands of TriNet customers, we reached out to security researcher John Wethington, founder of security firm Condition:Black, to examine the email.

It turns out he was just as convinced as us that the email may have been fake.

“As hackers and self-proclaimed social engineers, we often think that spotting a phishing email is ‘easy’,” said Wethington. “The truth is it’s hard.”

“When we first examined the email every alarm bell was going off. The deeper we dug into it the more confusing things became. We looked at the domain name records, the site’s source code, and even the webpage hashes,” he said.

There was nothing, he said, that gave us “100% confidence” that the site was genuine until we contacted TriNet.

TriNet spokesperson Renee Brotherton confirmed to TechCrunch that the email campaign was legitimate, and that it uses the third-party site “for our compliance ePoster service offering. She added: “The Imgur image you reference is an image of the TriNet logo that Poster Elite mistakenly pointed to and it has since been removed.”

“The email you referenced was sent to all employees who do not go into an employer’s physical workspace to ensure their access to required notices,” said TriNet’s spokesperson.

When reached, Poster Elite also confirmed the email was legitimate.

This is not a phishing site, but it sure looks like one. (Image: TechCrunch)

How did TriNet get this so wrong? This culmination of errors had some who received the email worried that their information might have been breached.

“When companies communicate with customers in ways that are similar to the way scammers communicate, it can weaken their customer’s ability over time to spot and shut down security threats in future communications,” said Rachel Tobac, a hacker, social engineer, and founder of SocialProof Security.

Tobac pointed to two examples of where TriNet got it wrong. First, it’s easy for hackers to send spoofed emails to TriNet’s workers because TriNet’s DMARC policy on its domain name is not enforced.

Second, the inconsistent use of domain names is confusing for the user. TriNet confirmed that it pointed the link in the email — posters.trinet.com — to eposterservice.com , which hosts the company’s compliance posters for remote workers. TriNet thought that forwarding the domain would suffice, but instead we thought someone had hijacked TriNet’s domain name settings — a type of attack that’s on the increase , though primarily carried out by state actors. TriNet is a huge target — it stores workers’ benefits, pay details, tax information and more. We had assumed the worst.

“This is similar to an issue we see with banking fraud phone communications,” said Tobac. “Spammers call bank customers, spoof the bank’s number, and pose as the bank to get customers to give account details to ‘verify their account’ before ‘hearing about the fraud the bank noticed on their account — which, of course, is an attack,” she said.

“This is surprisingly exactly what the legitimate phone call sounds like when the bank is truly calling to verify fraudulent transactions,” Tobac said.

Wethington noted that other suspicious indicators were all techniques used by scammers in phishing attacks. The posters.trinet.com subdomain used in the email was only set up a few weeks ago, and the eposterservice.com domain it pointed to used an HTTPS certificate that wasn’t associated with either TriNet or Poster Elite.

These all point to one overarching problem. TriNet may have sent out a legitimate email but everything about it looked problematic.

On one hand, being vigilant about incoming emails is a good thing. And while it’s a cat-and-mouse game to evade phishing attacks, there are things that companies can do to proactively protect themselves and their customers from scams and phishing attacks. And yet TriNet failed in almost every way by opening itself up to attacks by not employing these basic security measures.

“It’s hard to distinguish the good from the bad even with proper training, and when in doubt I recommend you throw it out,” said Wethington.

  • Ar chevron_right

    “We need help from you” on creating privacy law, FTC chair tells Congress

    news.movim.eu / ArsTechnica – Thursday, 14 November - 20:07

A man in a suit speaks into a microphone.

Enlarge / FTC Chairman Joseph Simons testifying about antitrust matters before a Senate committee in September 2019. (credit: Alex Edelman | Bloomberg | Getty Images )

In testimony before a House subcommittee Wednesday, Federal Trade Commission Chairman Joseph Simons renewed his call for Congress to pass new privacy legislation, telling representatives, essentially, he can't enforce a law that doesn't exist.

Simons was on Capitol Hill testifying in a hearing on "Online Platforms and Market Power," the probe the House Antitrust subcommittee launched in June to dig into Apple, Amazon, Facebook, and Google.

At the highest level, the FTC is responsible for basically two things: protecting competition and protecting consumers. To that end, it's one of the two bodies with antitrust oversight, sharing responsibility with the Justice Department for reviewing mergers and challenging anticompetitive behavior.

Read 12 remaining paragraphs | Comments

index?i=Drr6PRpIwtE:eJTKlP1_W2s:V_sGLiPBpWUindex?i=Drr6PRpIwtE:eJTKlP1_W2s:F7zBnMyn0Loindex?d=qj6IDK7rITsindex?d=yIl2AUoC8zA